As clients well know, ISO 22398 lays out the procedures necessary for planning, implementing, managing, evaluating, reporting, and improving crisis exercises, as well as the testing designs needed to assess the crisis-readiness of an organization.
But what exactly do your clients need to implement ISO 22398? Read on to find out.
Practical recommendations in ISO 22398
For starters, the ISO 22398 standard itself instructs complying organizations that they will need to conduct a needs and gap analysis. Why? The purpose of this analysis will be to establish the need for exercises and testing in the first place.
For clients, this pre-testing analysis also signals the importance of exercises and testing in managing business risks. The practical import is that it helps client stakeholders (including senior leadership) understand that conducting exercises and testing is needed to manage risks.
What questions might clients ask to get started with this planning stage of the testing process? Common questions include:
- Does the exercises and testing plan address requirements for exercises and testing?
- Can this plan promote consensus with interested parties?
- Does the plan offer an opportunity to reach and interact with its target group(s) and potentially address their interests?
- Does this plan provide an opportunity to address multiple issues in depth?
- Does this plan focus on key issues?
- Does the plan provide information tailored to the target group(s)?
- Is this plan practical and relatively easy to implement?
- Does the plan provide for information transfer at relatively low cost?
- Is this plan easy to update?
- Is the effectiveness of this plan measurable?
- Is this plan a good vehicle for education?
- Is this plan creating a constructive and supportive atmosphere?
- Is this plan an effective way to get publicity or increase public awareness?
- Does the plan conform to the organization's constraints?
Turning practical recommendations into action with digital technology capabilities
How about turning these recommendations into action? Clients looking to establish their own crisis testing and exercise capability efficiently in compliance with ISO 22398 should look into integrated resilience management software.
Why’s that?
Well, these are the software solutions that can help clients (1) better anticipate and identify trends, (2) prevent situations that may generate an interruption, and (3) respond more efficiently to disruptions that do arise.
What else do they do?
The platforms also work to better fuse the planning and exercise management competencies together within the greater business continuity and resilience management program.
How, exactly?
Well, the platforms in question function as plans. That means when clients need to develop their resilience plans, all the data they have previously entered seamlessly comes together.
This way managers don’t have to go sifting through documents to find the data they need, eliminating the risk of someone referencing an out-of-date plan during a crisis.
What’s more, because the plan is in the platform, multiple client stakeholders can collaborate on the development and updating of the plan, which enables better engagement.
All data associated with building the plan is managed centrally, in a controlled way. And data points only need to be captured once and then updated, which reduces the risk of duplication.
The platform-as-plan approach leads to more efficient exercise management, as does the platform’s own enhanced exercise management functionality. How, exactly? Download our guide, Digital Technology Needed to Implement ISO 22398, to find out.